{"id":19963710,"url":"https://github.com/cyberark/conjur-azure-devops-extension","last_synced_at":"2025-08-31T20:40:18.316Z","repository":{"id":39860218,"uuid":"263119520","full_name":"cyberark/conjur-azure-devops-extension","owner":"cyberark","description":"Azure DevOps Extension for retrieving secrets from CyberArk Conjur","archived":false,"fork":false,"pushed_at":"2023-09-15T15:23:51.000Z","size":417,"stargazers_count":5,"open_issues_count":5,"forks_count":2,"subscribers_count":20,"default_branch":"main","last_synced_at":"2024-06-12T04:52:57.013Z","etag":null,"topics":["azure","azure-devops","conjbot-notify","conjur","devops"],"latest_commit_sha":null,"homepage":"https://conjur.org","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cyberark.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null}},"created_at":"2020-05-11T18:06:00.000Z","updated_at":"2023-08-08T01:10:24.000Z","dependencies_parsed_at":"2022-09-09T09:22:13.321Z","dependency_job_id":null,"html_url":"https://github.com/cyberark/conjur-azure-devops-extension","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":"cyberark/conjur-template","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2Fconjur-azure-devops-extension","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2Fconjur-azure-devops-extension/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberark%2Fconjur-azure-devops-extension/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cyberar
k%2Fconjur-azure-devops-extension/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cyberark","download_url":"https://codeload.github.com/cyberark/conjur-azure-devops-extension/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224374644,"owners_count":17300691,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure","azure-devops","conjbot-notify","conjur","devops"],"created_at":"2024-11-13T02:17:07.672Z","updated_at":"2024-11-13T02:17:08.380Z","avatar_url":"https://github.com/cyberark.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Conjur Azure DevOps Extension\nAzure DevOps task extension that uses API key authentication to support batch retrieval of secrets from the CyberArk Conjur Secrets Manager in a secure way through an Azure DevOps pipeline.\n\nThe authentication parameters for connecting to the Conjur server are configured in the Service Connection.\n\n## Certification Level\n![](https://img.shields.io/badge/Certification%20Level-Community-28A745?link=https://github.com/cyberark/community/blob/master/Conjur/conventions/certification-levels.md)\n\nThis repo is a **Community** level project. It's a community contributed project that **is not reviewed or supported\nby CyberArk**. 
For more detailed information on our certification levels, see [our community guidelines](https://github.com/cyberark/community/blob/master/Conjur/conventions/certification-levels.md#community).\n\n## Features\n\nThe following features are available with the Azure DevOps Extension:\n\n* API authentication\n* Batch retrieval of secrets from the Conjur server with the help of a secured Service Connection\n\n## Limitations\n\nThe Azure DevOps Extension does not support creating, updating or removing secrets.\n\n## Technical Requirements\n\n| Technology             | Version  |\n| ---------------------- | -------- |\n| Conjur OSS             | 1.9+     |\n| Conjur Enterprise      | 12.5+    |\n| Conjur Cloud           |          |\n| Azure DevOps account   |          |\n\n# Prerequisites\n\nThe following are prerequisites to use the Azure DevOps extension.\n\n## Conjur setup\n\nConjur (OSS, Enterprise or Cloud) and the Conjur CLI are installed in the environment and running in the background.\n\nThis section describes how to set up the API Authentication for Conjur OSS or Enterprise.\n\n1. 
Define the API Authentication policy\n\n- Create a policy that defines the API Authentication, for example BotApp.\n```yaml\n- !policy\n  id: BotApp\n  body:\n    # Define a human user, a non-human identity that represents an application, and a secret\n  - !user Dave\n  - !host myDemoApp\n  - \u0026variables\n      - !variable secretVar\n      - !variable some-other-secret\n  - !permit\n    # Give permissions to the human user to update the secret and fetch the secret.\n    role: !user Dave\n    privileges: [read, update, execute]\n    resource: *variables\n  - !permit\n    # Give permissions to the non-human identity to fetch the secret.\n    role: !host myDemoApp\n    privileges: [read, execute]\n    resource: *variables\n```\n\n- Save the policy as BotApp.yml, and load it to root:\n\n```\n     conjur policy load -b root -f /path/to/file/BotApp.yml\n```\n     \n- Conjur generates the following API keys:\n     - An API key for Dave, the human user. This key is used to authenticate user Dave to Conjur.\n     - An API key for BotApp, the non-human identity. This key is used to authenticate the BotApp application to Conjur.\n\n     The number of API keys corresponds to the number of Users \u0026 Hosts defined in the policy.\n\n2.  Set the secret    \n     a. Generate a secret\n\n     Generate a value for your application’s secret:\n     ```\n     secretVal=$(openssl rand -hex 12 | tr -d '\\r\\n')\n     ```\n\n     This generates a 12-hex-character value.\n\n     b. 
Store the secret\n\n     Store the generated value in Conjur:\n     ```\n     conjur variable set -i BotApp/secretVar -v ${secretVal}\n     ```\n\n     The policy-defined variable `BotApp/secretVar` is now set to the randomly\n     generated secret.\n\nThis section describes how to set up the API Authentication for Conjur Cloud.\n\nPrerequisites:\n- Conjur Cloud\n- Pcloud\n- Conjur Cloud CLI\n\n\u003csmall\u003e\u003ca href='https://docs-er.cyberark.com/ConjurCloud/en/Content/ConjurCloud/ccl-manage-users.htm?tocpath=Get%20started%7CTutorial%7C_____1'\u003eRefer to the tutorial for Conjur Cloud setup\u003c/a\u003e\u003c/small\u003e\n1. Manage Conjur Cloud users\n2. Set up the Conjur Cloud CLI\n3. Log in to Conjur Cloud\n4. Sync Privilege Cloud Safe to Conjur\n\nTo create a simple host that authenticates using an API key:\n\nCreate a policy for the host:\n\n```yaml\n- !host\n  id: \u003chost name\u003e\n  annotations:\n    authn/api-key: true\n```    \nSave the policy as myapp-host.yaml.\n\nLoad the policy file into the data policy branch:\n\n```\nconjur policy load -b data -f myapp-host.yaml\n```\n\nTo grant permissions on secrets:\n\n```yaml\n- !grant\n  role: !group delegation/consumers\n  member: !host /data/myapp\n```\n\nSave the file as grant_permissions.yml.\n\nLoad the policy to data/vault/secrets-safe:\n\n```\nconjur policy load -b data/vault/secrets-safe -f grant_permissions.yml\n```\n\n## Azure DevOps Setup\n\n* Download the Conjur Azure DevOps Extension from the Azure Marketplace\n* Install the extension to an Azure DevOps organization\n* Search for the installed extension in Project Settings \u003e Pipelines \u003e Service connection \u003e Create service connection\n\n     \u003cimg src=\"https://github.com/cyberark/conjur-azure-devops-extension/blob/main/images/service-connection.png\" width=\"300\" height=\"300\"\u003e\n\n* Add the Conjur details in the Service Connection \n\n     \u003cimg 
src=\"https://github.com/cyberark/conjur-azure-devops-extension/blob/main/images/setupSC.png\" width=\"400\" height=\"500\"\u003e\n\n* In Pipeline \u003e Task, search for Batch Secret Retrieval, select the Service Connection and provide the path to the secrets.yml file\n\n     \u003cimg src=\"https://github.com/cyberark/conjur-azure-devops-extension/blob/main/images/pipelineTask.png\" width=\"500\" height=\"500\"\u003e\n\n* secrets.yml file format  \n\n- Conjur OSS or Enterprise\n\n```yaml\nSECRET: !var BotApp/secretVar\nANOTHER_SECRET: !var some-other-secret\n```\n\n- Conjur Cloud\n\n```yaml\nSECRET: !var data/vault/secrets-safe/ado_secret_apikey/address\nANOTHER_SECRET: !var data/vault/secrets-safe/ado_secret_apikey/username\n```\n\n* Add the task under steps in azure-pipeline.yml\n\n```yaml\nsteps:\n- task: secretBatchRetrievalConnector@0\n  displayName: ConjurIntegeration\n  inputs:\n    ConjurService: 'ConjurSConnection'\n    secretsyml: './secrets.yml'\n```\n\n## Development\n\nPlease follow this guide to properly set up this extension:\nhttps://docs.microsoft.com/en-us/azure/devops/extend/develop/add-build-task?view=azure-devops\n\n## Contributing\nWe welcome contributions of all kinds to this repository. For instructions on how to get started and descriptions\nof our development workflows, please see our [contributing guide](CONTRIBUTING.md).\n\n## License\nThis repository is licensed under the Apache License 2.0 - see [`LICENSE`](LICENSE) for more details.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyberark%2Fconjur-azure-devops-extension","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcyberark%2Fconjur-azure-devops-extension","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcyberark%2Fconjur-azure-devops-extension/lists"}